Goatse Security's research team has earned a name for themselves discovering a number of gaping holes in software and web sites alike. But none was bigger than their discovery that AT&T was virtually handing out iPad users' emails. In an attempt to force AT&T to cover its hole and protect its users, Goatse Sec shared the incident with the news, after their requests to AT&T went unanswered (according to the group's accounting). And though they never released the emails they obtained in full, they now are standing trial on a variety of charges concocted by the FBI and various federal authorities [interview].

On Wednesday night, Goatse Sec's already colorful blog became even more so, when the organization's apparent falling out with a former administrator/team member resulted in their blog page being defaced and other mischief enacted.

I have taken the liberty of exposing your gaping hole, and hope in doing so that I’ve given your balls a good twist. As you are a group of self-aggrandizing tw*ts, I have also contacted the media to ensure that this incident gets the coverage it deserves.

In cracking this site, I have sent specially crafted requests to the server with my browser ID spoofed to that of an iPad. Please know that while this was not instrumental in this wondrous crack, it _WAS_ poetic in many ways. I also gave Goatsec the same warning that they gave AT&T… none at all, to patch their gaping hole.
User Accounts have been deleted, and passwords changed.

AAAAAAAAAAAAAAAAAAAAAAND THE PREVIOUS ADMIN PASSWORD IS… T2!p*uje7ru*
Props to: The FBI, OseK, MadMax, mre|666, Scratch (Isuki), Sigdie, anyone who knows what Sigdie is, Krashed (because it’ll make Bratty happy to see his name on a deface page, even if he didn’t have sh*t to do with it)
F*ckoff to: LoRez (F*CK YOU), weev, Apple, AT&T, MI-5, Harry Pierce, and %$# *!&$@^@ everywhere.

That message lit up Goatse Sec's site for a couple of hours Wednesday evening. By 6:30 p.m. the site was restored to working order.

CNET entered a discussion with a person claiming to be the admin, who went by the handle #Sigdie (same as in the defaced post) on the EFnet Internet Relay Chat (IRC) network. He claimed to be acting alone, and said that he is a security professional. He states, "I felt it was appropriate to give them a taste of their own medicine. I felt some negative publicity would hopefully cool things down and force them to rethink their behavior."

We discussed the incident via email with Goatse Sec spokesperson Leon Kaiser. Mr. Kaiser was quoted in CNET as saying, "It appears that someone has found the root password to the Goatse Security blog. Ironically, in doing so, the person in question has broken more laws than 'Weev' or 'JacksonBrown' are accused of breaking."

Mr. Kaiser gives us more details about CNET's claim that the hacker secured a "root" password, stating, "By 'root', I just meant admin on the blog's backend."

As to the accusation that the admin broke laws, he clarifies, "As for the lawbreaking comment, it was mostly sarcastic (we did not have all of the details at the time, either.)"

As to what made the former team member so disgruntled, Mr. Kaiser tells us, "We honestly have no idea what made him so angry. I suppose you could compare the incident to a disgruntled former employee stealing from a company."

Early in the morning an email from Kevin Lynne was posted to the Full Disclosure mailing list, claiming [email]:

Knowing one of the people listed in the shout-outs, I told them about the props and they got back with the following statement: "After doing some digging, [I] found out that they did it to their own website to generate publicity. The person responsible told me he didn't think anything would happen from it so he used my old nick. He apologized to me and said he'll not do something like that in the future."

Goatse Sec denies that the vandalism was done as some sort of social engineering stunt or publicity attempt. Of course that's the tough part about being security professionals or hackers -- when they get attacked, everyone automatically assumes it was faked for attention, since they, after all, are the masters of social engineering.

Mr. Kaiser also offered us some new information. He says that the person who first posted [email] to Full Disclosure with news of the hack -- "Andrew Kirch" email:trelane at trelane.net -- was the person responsible. Andrew Kirch is an Indianapolis, Indiana native [Linked In] [Facebook] [blog].

Mr. Kaiser says that while Mr. Kirch wasn't the former team member involved, he was likely given the blog's admin password by the unnamed disgruntled former team member, and used it to execute the attack. He states, "Mr. Kirch wasn't actually a member of our team. We're pretty sure that a former member of the team gave him the admin login."

Mr. Kirch describes himself as follows:

I'm a 28 year old Open Source politician. I've used Open Source for years and am active in the community working on the community itself. This is a largely thankless job involving long days of convincing people I'm right.
Outside of that I'm a fiscally conservative social libertarian from Indiana in the USA (no I'm not a supporter of Ron Paul). I'm a member of the NRA, and I get range time in as frequently as possible. I own a company which deploys open source software to reduce the cost of phone service to those living in apartment complexes, and am on the board of a second company which develops websites that use Drupal, just like this one.

Update: Friday 1/28/2011, 12:25 p.m. -

We received a message back from Andrew Kirch, who offered us chat logs, which he claims show Leon Kaiser to be coordinating the defacement as a publicity stunt. He writes:

He believes this? He helped coordinate it.

He provided us with evidence that does seem to support this claim, but we were not permitted to publish it.

He adds:

I was an admin before he was, and the password was given to me by the (Then current) PR guy.

Update 2: Friday 1/28/2011, 12:45 p.m.

Leon Kaiser tells us:

I was not misleading you. This was an individual who literally did not inform us ahead of time that this is what he was doing. Since "trelane" was on our IRC server, we felt it best to engineer the password out of him, which we eventually did. After I did that, I locked him out of the site and changed the password. Everything said below was part of an attempt to regain control of our blog.

Oh, additionally, we kickbanned him from the channel once we got the password.

At this point it's kind of hard to figure out who to believe, so draw your own conclusions.

Update 3: Friday 1/28/2011, 12:55 p.m.

Leon Kaiser provides us with the following IRC log, supporting his claims:

Leon Kaiser adds, "So, basically what happened was that trelane vandalized the site, apparently to get noticed by the media. He then came to us acting like he did it to help. I pretended to go along until I got the password, then promptly kickbanned him from the channel, and fixed the site as much as I could."

He adds that he apologizes for the confusion that ensued.

Update 4: Friday, 1/28/2011 2:00 p.m. -

Andrew Kirch has permitted us to publish his copy of a separate earlier chat log, which he claims proves his account:

He adds, "With this said, it's a password I gave them immediately. I have nothing against them, and they did everything they could to push the publicity, had me in the ##press channel working on it until one member, sloth, started to rage about the whole thing. Then they decided to distance themselves."

At this point both parties offer plausible stories, but it's unclear who is telling the truth.

Comments

Goatse security is obviously run by children. At least it's apparent that they surround themselves with kids... I got over this kind of thing in the nineties, and eventually went out and got a real job. Lol who would actually take a company named after an internet shock site seriously anyway? After all the work legitimizing themselves with the AT&T thing one would think that they wouldn't make themselves look retarded again. But they did.